I don't know yet--it's the next thing I'll need to figure out.
On 9/22/2014 5:55 AM, Christopher Schultz wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Borislav,
On 9/20/14 11:57 PM, Borislav Trifonov wrote:
Switched to a configuration where Tomcat is now front-ended by
Nginx acting as a load balancer, so now the problem has moved to a
different spot.
Just curious: how does Nginx do this? IIRC, Nginx can use either
OpenSSL or GnuTLS. What does the configuration look like? It seems
reasonable for httpd/APR to support PSK... perhaps it can be added if
it does not already exist.
As for the PSK: the computational expense of key exchange (we have
many frequent short lived connections) is a con that brings zero
benefit to our setup, as the clients are fixed and already have the
symmetric keys.
Makes sense.
I could ask the inverse question: if one controls not just the
server but also the clients, what's the point of public key
crypto?
You never mentioned that you had "control" of the clients. Using PSKs
of course means you have some measure of control over the clients,
but it is not always so.
The only reason I'm relying on TLS is because the same server also
needs to occasionally support regular connections using
certificates.
Would it be an option to use something like stunnel (I'm not sure if
that allows PSKs, either) between the client and server? It's a lot of
extra processes, but it might get the job done.
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJUIBxHAAoJEBzwKT+lPKRYascP/jYod5rNgvfmJjF7FBdWp0ld
uVJJ6BnrfaNOwqEEjMMy/lj93k/bwrkNmdwivIjrQ8dV5HH1AS6HTFFJbU9lPril
fyY4Sz3HE9b1yDtKizqfxgs+7pJ6qCxRMY3LX/R/wk5R2RNgPvS8/0o1XeCsU3Ck
r8dh+wVH3eb0PpIRSvdc6jDZ9QoEyTgOZtqVrNwmeo5utVlszLm16rBenlrxHEen
iFHd7eVzayhsW7pvwNXaRO8UK5GpFKdE4yn3fEQu8OQmX3UR9hUREWJikE/3yszT
rSajQJW941YMw9fzW6B/tH8+JA21fvCL5pK7r2Nac+IWbXExRHbcdbtGpF2aUev9
184jE3W9qa27zanox4WCArkNwYSU4PskSpDfQPVCX6Wuem6fQP7zli+JA+HGHmdI
kRfTskkaH5u7fMANGJB7HVeH9GQIcBDHcsWpYeYVUB9sMk35TL8b3T/UvzP5SOGR
01doESxIsG5H10R9fUOKAEU2DIee+CmwMGWI58YbCNONWAabJ1tVIRzUp74XbfPc
aGPBie7p/xqpo/d9He5fnHWsyLLPHzyfsTRUnsCVwuCnZup/FRt1AnL1W6/TP4Lh
GpHc1EZxpXAlkEJPAGzVT3QwskGKg6RvQX3uqcIqquTdJ0o1OlpMfnFm6c59EwKa
Y825QMbFT7SZOL8ylSxu
=5Wp9
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
